Method for loading software

ABSTRACT

The invention relates to a method for loading software into a target appliance in a vehicle control system having a number of appliances.  
     The following steps are provided according to the invention: subdivision of the loading process for one or more software modules into task elements, namely at least one monitoring appliance task, one update appliance task and one receiving appliance task, and assignment for carrying out the task elements to the target appliance, to the appliances and/or to a control appliance outside the vehicle control system, wherein the monitoring appliance task includes processing and passing on the control commands for the loading of the software module from outside the vehicle control system, the update appliance task includes controlling the loading of the software module between the target appliance, the appliances and/or the control appliance, and the receiving appliance task includes provision of an interface for the software module which is to be loaded from outside the vehicle control system.  
     Use, for example, in control systems for motor vehicles.

[0001] The invention relates to a method for loading software into a target appliance in a vehicle control system having a number of appliances, and to a vehicle control system for carrying out the method.

[0002] Laid-Open Specification DE 43 34 859 A1 discloses a device for programming electronic controllers in a motor vehicle, which is intended for initialization of the controllers on the production line. The controllers are connected to one another. One controller can communicate with an external programmer, with an existing transmitting/receiving device for the controller, for example an infrared locking system, being used for the communication process.

[0003] During the initialization of appliances, each appliance to be programmed must have sufficient computation power and sufficient free memory in order to carry out the tasks which occur during the programming process. The loading of new software versions, that is to say so-called updates, presents more stringent requirements than those during initialization since it may be necessary to back up already loaded software and the amount of free memory space is reduced since it is occupied by operating data. These more stringent requirements have to be satisfied, for example, by providing greater computation power and larger memories for appliances in a vehicle control system. On the other hand, vehicle control systems are subject to considerable cost pressure so that appliances which are intended to be fitted in large-scale production, in particular, must be designed to have as low cost as possible. Until now, loading of software in vehicle control systems has thus been restricted to the initialization of specific appliances on the production line and to the updating of specific appliances, which are generally provided as special equipment, such as navigation systems, which receive new data records via CDs (compact discs).

[0004] Laid-Open Specification DE 196 25 002 A1 discloses a vehicle communications system, in which appliance units for transmitting, receiving, detecting and/or processing data can be associated in a flexibly controllable manner with various telematics applications. This is intended to provide increased flexibility for carrying out telematics applications at low cost, with the intention of avoiding redundant fitment of the vehicle with identical appliances for different telematics applications.

[0005] The invention is based on the technical problem of providing a method for loading software into a target appliance in a vehicle control system and of providing a vehicle control system for carrying out the method, which place only minor requirements on the performance of the target appliance.

[0006] A method for loading software and having the features of Claim 1, as well as a vehicle control system having the features of Claim 9, are provided, according to the invention, for this purpose.

[0007] Since the process of loading a software module is sub-divided into task elements and the process for carrying out the task elements is assigned to a target appliance, appliances in the vehicle control system and/or to a control apparatus outside the vehicle control system, the tasks do not all need to be carried out by a single apparatus while loading the software module. It is thus possible to distribute the load, for example with regard to the computation performance and memory capacity, on the basis of the performance of the individual appliances. Most appliances in a vehicle control system are not part of the standard fit. Intelligent distribution of the task elements makes it possible to prevent the small number of standard appliances having to be upgraded and thus made more expensive in order to allow a software update. The definition of task elements corresponds to the definition of logical appliances. When the method is carried out, the task elements or the logical appliances are then assigned to the appliances which are actually physically present.

[0008] The task elements have a monitoring appliance task, which includes processing and passing on control commands for the loading of the software module from outside the vehicle control system, an update appliance task, which includes control of the process of loading the software module between the target appliance, the appliances and/or the control appliance, and a receiving appliance task, which includes provision of an interface for the software module to be loaded from outside the vehicle control system. Subdivision into these task elements is particularly suitable for a vehicle control system since this takes account of specific boundary conditions that occur in a vehicle control system. For example, vehicle control systems do not have powerful central computers which could generally be used to accept the main load during the loading process. In fact, different equipment variants differ considerably in terms of the performance of the installed appliances so that variable assignment of the task elements is the only way to allow the software to be loaded in different equipment variants. The high degree of flexibility of the method allows it to be used over a number of model cycles of a manufacturer.

[0009] The provision of a monitoring appliance task allows different appliances to be used as the interface to the outside world without having to modify the method for loading a software module. For example, the loading of one or more software modules can be controlled, by way of example, by an external diagnosis appliance or else by an input device in the vehicle itself. The same method can thus be used for updating controllers from the diagnosis computer and for updating a navigation system from the controller in the vehicle. The flexible assignment for carrying out the update appliance task also makes it possible to provide less powerful appliances in the vehicle control system with new software modules, since the control of the process of loading the software module can be assigned to a more powerful appliance.

[0010] The provision of a receiving appliance task allows just one physical appliance to be used for updating different appliances. The method can also be used without modification if software is intended to be loaded via an optionally provided mobile radio or CD ROM interface rather than via a diagnosis interface which is provided, by way of example, in the standard fit. When different data transmission rates are used outside the vehicle control system and in the networked vehicle control system, the receiving appliance task may include not only the reception of the data but also the temporary storage of the received data.

[0011] Advantageous refinements of the invention are specified in the dependent claims.

[0012] The definition of a configuration manager task allows computation-intensive compatibility checking during the loading of a software module in the case of vehicle control systems having a standard fit to be moved elsewhere and, for example, to be transferred to a diagnosis appliance. On the other hand, in variants with better equipment, the compatibility check can be carried out within the configuration manager task in the vehicle itself, for example by the customer himself when loading new software for a navigation system.

[0013] Since the data for the configuration management is carried directly together with the software in a version line and in a list of requirements, there is no need for costly central data storage. Only the evaluation of the data that is also carried is carried out centrally by the appliance to which the process of carrying out the configuration manager task has been assigned. Only as many central components as are necessary are therefore provided for compatibility checking, and the method is in consequence particularly suitable for a vehicle control system. Self-testing of the software configuration of the vehicle control system is also possible.

[0014] The provision of a backup appliance task, which includes backing up at least some of the software modules in the target appliance within the vehicle control system, allows already loaded software to be backed up even in the case of software updates which are carried out by the customer himself, for example from the CD ROM without any connection to an external diagnosis appliance, or else, for example, via mobile radio for a software update. The flexible assignment of the backup appliance task makes it possible to choose an appliance which is particularly suitable for this purpose depending on the equipment variant.

[0015] The assignment of the process for carrying out the task elements is advantageously made as a function of the computation performance required for the task elements, of the memory space required for the task elements and/or of the time which is required for the storage of data in the target appliance and in the appliances in the vehicle control system. This allows computation-intensive, memory-intensive, and/or time-critical task elements to be assigned to the respectively most suitable appliance for them.

[0016] Since a data transmission is made secure by cryptographic scrambling only outside the vehicle control system, the complexity can be reduced considerably in comparison to so-called end-to-end protection, so that standard fits of vehicle control systems can be designed to be simpler, despite having the capability to carry out an update. In particular, less computation power is required within the vehicle control system and, in general, the administrative complexity is decreased since fewer cryptographic keys need to be administered.

[0017] The technical problem on which the invention is based is also solved by a vehicle control system having the features of Claim 9. In the case of a vehicle control system such as this, the data which is required for carrying out a compatibility check within a configuration manager task is carried together with the software. For this purpose, the software modules which have already been loaded in the respective appliances in the vehicle control system each have a version line and a list of requirements. A vehicle control system such as this allows a compatibility check to be carried out for a software module to be loaded without any complex central data storage, since the required data is attached to the software modules themselves. A vehicle control system such as this is thus particularly highly suitable for production in different equipment variants, including standard fits.

[0018] Since the vehicle control system can be operated by means of a control appliance outside the vehicle control system, the configuration manager task can be carried out outside the vehicle control system, thus reducing the requirements for the appliances in the vehicle control system.

[0019] However, it is also advantageous for an appliance which is suitable for carrying out the configuration manager task to be provided in the vehicle control system since a compatibility check, specifically to determine whether the vehicle control system satisfies the hardware and software requirements for the software module to be loaded and whether the software module to be loaded satisfies the requirements for operation of the vehicle control system, can be carried out in the vehicle itself. This is advantageous, for example, when the data is transmitted by mobile radio or from a CD ROM when an update is intended to be carried out without connecting any external appliance.

[0020] Further features and advantages of the invention can be found in the attached drawing in conjunction with the following description. In the drawing:

[0021] FIG. 1 shows a schematic illustration of a first preferred embodiment of the method according to the invention and of the vehicle control system according to the invention, and

[0022] FIG. 2 shows a schematic illustration of the checks which are carried out in the course of the configuration manager task in a further preferred embodiment of the invention.

[0023] FIG. 1 shows, schematically, a vehicle control system according to one preferred embodiment of the invention, and illustrates one preferred embodiment of the method according to the invention. The vehicle control system is indicated in FIG. 1 by a target appliance 10 and an appliance I 20, which are networked to one another. To make the illustration clearer, no further appliances in the vehicle control system are illustrated. A control appliance outside the vehicle control system is represented by a diagnosis tester 30, which is connected to the vehicle control system. In the illustrated embodiment, the diagnosis tester 30 carries out a monitoring appliance task, by processing and passing on control commands for loading the software module outside the vehicle control system. The diagnosis tester 30 thus represents the interface to the outside world, via which an operator causes the software module to be loaded and receives acknowledgments related to the progress of the method.

[0024] The software module is intended to be loaded in the target appliance 10. The target appliance 10 thus carries out an update appliance task by controlling the loading process of the software module between the target appliance 10 and the appliance I 20 and the diagnosis tester 30, as well as a receiving appliance task, by providing an interface for the software module to be loaded from outside the vehicle control system, namely from the diagnosis tester 30, as well as a backup appliance task, by backing up software modules that have already been loaded into the target appliance 10 before the new software module is loaded.

[0025] The appliance I 20 carries out a configuration manager task by checking whether the vehicle control system satisfies the hardware and software requirements for the software module to be loaded, and whether the software module to be loaded satisfies the requirements for operation of the vehicle control system.

[0026] Thus, in the present case, various task elements related to the loading process are assigned to different appliances, namely to the diagnosis tester 30, to the target appliance 10 and to the appliance I 20. In other words, the diagnosis tester 30 is assigned the tasks of a monitoring appliance, the target appliance 10 is assigned the tasks of a target appliance, of an update appliance, of a receiving appliance and of a backup appliance, and the appliance I 20 is assigned the tasks of a configuration manager. The computation and memory load for the update process is thus distributed on the basis of the capabilities of the individual appliances.

[0027] The update process is started by an update request from the diagnosis tester 30. Together with the update request, the diagnosis tester 30 sends monitoring data to the target appliance 10. Within the update appliance task, the target appliance 10 uses this monitoring data and its internal status to generate configuration data for configuration management.

[0028] This configuration data is sent to the appliance I 20 which then, within the configuration manager task, checks whether the new configuration is or is not compatible with the overall system, specifically whether the software module to be loaded satisfies the requirements for the vehicle control system, and vice versa. The appliance I 20 sends this information to the target appliance 10. In the illustrated situation, the checking of the new configuration has ended with a positive result, so that the appliance I 20 sends the information “Configuration OK” to the target appliance 10.

[0029] The target appliance 10 also checks whether its internal state allows a software update, and whether the memory space required for the update process is available in the target appliance 10. Within the update appliance task, the target appliance 10 then sends the acknowledgment “Configuration and State OK”, indicating that an update is possible, to the diagnosis tester 30.

[0030] The appliance 10 uses the monitoring data which is transmitted together with the update request by the diagnosis tester 30 within the monitoring appliance task to identify which parts of the software must be backed up before loading the new software module. Within the backup appliance task, the target appliance 10 then backs up the already loaded software. This backup process can be carried out within the vehicle control system, for example in the target appliance 10 itself, by moving it to another appliance in the vehicle control system, or externally for example by means of a backup in the diagnosis tester outside the vehicle control system. The process of backing up the already loaded software is initiated by once again transmitting an update request and backup command from the diagnosis tester 30. Once the backup process has been completed, the target appliance 10 sends back the message “Backup OK” to the diagnosis tester 30.

[0031] Once the backup process has been successfully completed, the target appliance 10 receives, within the update appliance task, the new software module together with a checksum, for example CRC, and a signature. The target appliance 10 temporarily stores the new software module and thus carries out a receiving appliance task, by providing an interface between the diagnosis tester 30 outside the vehicle control system and the vehicle control system itself. For example, the new software module can be transmitted from the diagnosis tester 30 to the target appliance 10 at a different data transmission rate than that used in the vehicle control system itself, to be precise between the target appliance 10 and the appliance I 20. The temporary storage of the new software module means that the incoming data is buffered and can be passed on at the data transmission rate that is used in the vehicle control system.

[0032] The new software module is decompressed, the signature is checked and the new software module is stored in the target appliance 10. A checksum, for example CRC, is calculated and checked. Furthermore, the successful installation of the new software module is tested.

[0033] If the checks of the signature, of the checksum and of the installation are successful, the target appliance 10 produces, within the update appliance task, configuration data and sends this data to the appliance I 20 which, within the configuration manager task, stores the new configuration, which is now up to date. Once the configuration has been stored, the appliance I 20 sends an acknowledgment “Configuration OK”.

[0034] After receiving this acknowledgment from the appliance I 20, the target appliance enables the installation of the new software module. This is done by the target appliance 10 identifying the new software module as being valid and by erasing the previously stored old software.

[0035] Finally, the update appliance passes an acknowledgment of the successful software update to the monitoring appliance, in the present case to the diagnosis tester 30. Successful completion of the update can then be indicated on the diagnosis tester 30 for an operator.
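
The receive, verify and enable steps of paragraphs [0031] to [0034] on the target appliance, sketched as an added example that is not part of the original specification. HMAC-SHA256 with a constructed key stands in for the signature scheme, which the text does not name; the class and function names, and bounding decompression by the free memory checked in [0029], are assumptions.

```python
"""Target-appliance side of the update sequence (added example)."""
import hashlib
import hmac
import zlib

KEY = b"constructed-demo-key"  # assumption: stand-in verification key


class UpdateRejected(Exception):
    """Raised when a step of the update sequence fails a check."""


class TargetAppliance:
    def __init__(self, active, free_memory):
        self.active = active            # software currently marked valid
        self.backup = None              # copy made by the backup appliance task
        self.staged = None              # stored but not yet marked valid
        self.free_memory = free_memory  # bytes available for the new module

    def back_up(self):
        self.backup = self.active
        return "Backup OK"

    def install(self, compressed, crc, signature):
        """Decompress, check the signature, store, then check the checksum."""
        if self.backup is None:
            raise UpdateRejected("loaded software has not been backed up")
        # Bound the output so a malformed module cannot exceed the memory
        # that was confirmed as available before the update started.
        stream = zlib.decompressobj()
        try:
            image = stream.decompress(compressed, self.free_memory + 1)
        except zlib.error as exc:
            raise UpdateRejected(f"decompression failed: {exc}")
        if len(image) > self.free_memory or stream.unconsumed_tail:
            raise UpdateRejected("module exceeds available memory")
        if not stream.eof:
            raise UpdateRejected("module is truncated")
        expected = hmac.new(KEY, image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise UpdateRejected("signature check failed")
        self.staged = image
        if zlib.crc32(self.staged) != crc:
            self.staged = None          # discard; old software stays valid
            raise UpdateRejected("checksum mismatch")
        return "Installation OK"

    def enable(self, config_ack):
        """Mark the new module valid only after the configuration is stored."""
        if self.staged is None or config_ack != "Configuration OK":
            raise UpdateRejected("no verified module or configuration not stored")
        # Identify the new module as valid and erase the old software.
        self.active, self.staged, self.backup = self.staged, None, None
        return "Update OK"


def make_package(image):
    """Sender side (constructed): compressed module, checksum, signature."""
    signature = hmac.new(KEY, image, hashlib.sha256).digest()
    return zlib.compress(image), zlib.crc32(image), signature


if __name__ == "__main__":
    ecu = TargetAppliance(active=b"old software v1.0", free_memory=1024)
    print(ecu.back_up())
    print(ecu.install(*make_package(b"new software v1.1")))
    print(ecu.enable("Configuration OK"))
```

Until `enable` succeeds, `active` still holds the old software, so a failed signature, checksum or configuration step leaves the appliance on its previous valid module.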

[0036] One preferred sequence for a configuration check for a further embodiment of the method according to the invention for loading software using a vehicle control system according to the invention will be explained in the following text with reference to FIG. 2. Each software module is a software unit which can be interchanged and/or newly loaded. Each software module has a version line which includes the title of the target appliance, the module name, an identification for local or external use and the version number as well as, optionally, further details. In the situation where the software modules m1 and m2 are to be loaded as shown in FIG. 2, the title of the target appliance is D1, one software module has the name m1, exclusively internal use is indicated by the letter l, and the software module m1 is at version v1.1. The version line of the software module m1 accordingly reads D1.m1 l v1.1.

[0037] The software module m1 also includes a list of requirements for other software modules in it. The list of requirements includes identifications for appliances to which access is intended from the software module m1 to be loaded, the titles of the software modules which are required by the software module m1 to be loaded in the appliances to which access is intended, as well as the version number of the required software modules. In the case of the software module m1, access is intended to an appliance D2 in which the software module m1 to be loaded requires version 1.x of a software module m9. The list of requirements for the software module m1 is accordingly D2.m9 1.x.

[0038] The software modules included in the list of requirements must already have been loaded in the stated version, in the vehicle control system. The software modules m1 and m2 to be newly loaded are checked in the configuration check in an appliance 40. The appliance 40 is located within the vehicle control system, although the configuration check can also be carried out by an external appliance. Compatibility of the software module m1 with the vehicle control system is now checked by checking the lists of requirements for the software modules which have already been loaded in the vehicle control system, in a first check. As can be seen from the illustration in FIG. 2, the list of requirements for the software module m2 in the appliance D1 is empty, so that the module m2 does not place any requirements, for example, on the software module m1. The software module m1 is also not available for external use from the appliance D1, as is indicated by the letter l in the version line of the module m1. Further software modules on other appliances, that is to say the module m9 on the appliance D2 in the illustrated case, therefore have no requirements for the software module m1.

[0039] In a second check, the requirements of the software modules m1 and m2 to be loaded on the software modules which have already been loaded in the vehicle control system are checked. This is done using the list of requirements for the software module m1 or m2. In the example shown in FIG. 2, based on its list of requirements for the appliance D2, the software module m1 requires version 1.x of the software module m9, that is to say the second digit of the version number is undefined. Within the configuration manager task, the appliance 40 compares the list of requirements of the software module m1 with the version line of the software module x1 which has already been loaded in the appliance D2. The version line of the software module x1 is D2.m9 e v1.4. The version line includes the title of the software module m9 as well as the letter e, which represents external use of the software module m9 in the appliance D2. The software module m9 in the appliance D2 is at version v1.4. A comparison of the list of requirements D2.m9 1.x of the software module m1 with the version line m9 e v1.4 of the software module m9 shows that the requirements of the software module m1 are satisfied by the software module m9. Analogously to this, m2 is then checked, and all the requirements are satisfied in this case as well. As a consequence of this, the appliance 40 can output an “OK” message in order to end the configuration check, indicating that the new software module m1 can be loaded into the appliance D1.
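
The two checks of paragraphs [0038] and [0039], as an added example that is not part of the original specification. The line formats are inferred from the examples "D1.m1 l v1.1" and "D2.m9 1.x"; the rule that a requirement from another appliance can only be met by a module marked e is an interpretation of [0038], and the versions of the already-loaded m1 and m2 are constructed.

```python
"""Configuration check over version lines and lists of requirements."""
import re
from dataclasses import dataclass

VERSION_LINE = re.compile(r"^(\w+)\.(\w+) ([le]) v(\d+(?:\.\d+)*)$")
REQUIREMENT = re.compile(r"^(\w+)\.(\w+) ((?:\d+|x)(?:\.(?:\d+|x))*)$")


@dataclass(frozen=True)
class Module:
    appliance: str        # e.g. "D1"
    name: str             # e.g. "m1"
    use: str              # "l" = internal use only, "e" = external use
    version: str          # e.g. "1.1"
    requires: tuple = ()  # (appliance, module, version pattern) entries


def parse_module(version_line, requirement_lines=()):
    """Parse a version line and its list of requirements; reject bad input."""
    m = VERSION_LINE.match(version_line.strip())
    if not m:
        raise ValueError(f"malformed version line: {version_line!r}")
    reqs = []
    for line in requirement_lines:
        r = REQUIREMENT.match(line.strip())
        if not r:
            raise ValueError(f"malformed requirement: {line!r}")
        reqs.append(r.groups())
    return Module(*m.groups(), requires=tuple(reqs))


def version_matches(pattern, version):
    """'1.x' matches '1.4': an 'x' leaves that position undefined."""
    want, have = pattern.split("."), version.split(".")
    return len(want) == len(have) and all(
        w == "x" or w == h for w, h in zip(want, have))


def unmet(module, config, targets=None):
    """Requirements of `module` (optionally only on `targets`) not satisfied."""
    problems, who = [], f"{module.appliance}.{module.name}"
    for appliance, name, pattern in module.requires:
        if targets is not None and (appliance, name) not in targets:
            continue
        dep = config.get((appliance, name))
        if dep is None:
            problems.append(f"{who}: {appliance}.{name} is not loaded")
        elif not version_matches(pattern, dep.version):
            problems.append(
                f"{who}: needs {appliance}.{name} {pattern}, found v{dep.version}")
        elif appliance != module.appliance and dep.use != "e":
            problems.append(f"{who}: {appliance}.{name} is internal-use only")
    return problems


def check_configuration(loaded, new):
    """Run both checks; an empty list corresponds to the 'OK' message."""
    replaced = {(m.appliance, m.name) for m in new}
    config = {(m.appliance, m.name): m for m in loaded}
    config.update({(m.appliance, m.name): m for m in new})
    problems = []
    # First check: requirements of already-loaded modules on the new modules.
    for m in loaded:
        if (m.appliance, m.name) not in replaced:
            problems += unmet(m, config, targets=replaced)
    # Second check: requirements of the new modules on what is loaded.
    for m in new:
        problems += unmet(m, config)
    return problems


# Constructed sample following the FIG. 2 description.
LOADED = [
    parse_module("D1.m1 l v1.0"),
    parse_module("D1.m2 l v1.0"),
    parse_module("D2.m9 e v1.4"),
]
NEW_M1 = parse_module("D1.m1 l v1.1", ["D2.m9 1.x"])

if __name__ == "__main__":
    print(check_configuration(LOADED, [NEW_M1]) or "OK")
```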

1. Method for loading software into a target appliance in a vehicle control system having a number of appliances, characterized by the following steps: subdivision of the loading process for one or more software modules (m1, m2) into task elements, namely at least one monitoring appliance task, one update appliance task and one receiving appliance task, and assignment for carrying out the task elements to the target appliance (10; D1), to the appliances (20; 40, D2) and/or to a control appliance (30) outside the vehicle control system, wherein the monitoring appliance task includes processing and passing on the control commands for the loading of the software module (m1) from outside the vehicle control system, the update appliance task includes controlling the loading of the software module (m1) between the target appliance (10, D1), the appliances (20; 40, D2) and/or the control appliance (30), and the receiving appliance task includes provision of an interface for the software module (m1) which is to be loaded from outside the vehicle control system.
 2. Method for loading software according to claim 1, characterized by further subdivision of the loading process for the software module (m1) into a configuration manager task, which includes a check as to whether the vehicle control system satisfies the hardware and software requirements of the software module (m1) to be loaded, and whether the software module (m1) to be loaded satisfies the requirements for operation of the vehicle control system.
 3. Method for loading software according to claim 2, characterized in that the software modules (m1, m2) to be loaded are provided with in each case one version line and a list of requirements, with the version line having a title for the software module (m1, m2) to be loaded, an identification for the target appliance (D1), an identification (l, e) for internal or external use of the software module (m1) to be loaded in the target appliance (D1), as well as a version number (v1.1) for the software module (m1) to be loaded, and the list of requirements having identifications for appliances (D2) to which access by the software module (m1) to be loaded is envisaged, having the titles of the software modules (m9) which are required by the software module (m1) to be loaded in the appliances (D2) to which access is intended, and having version numbers (1.x) for the required software module (m9), and the configuration manager task including a first check, in which the requirements for software modules (m2, m9) which are already loaded in the target appliance (D1) and in the appliances (D2) are checked against the software module (m1) to be loaded, using the version line of the software module (m1) to be loaded and using lists of requirements of the already-loaded software modules (m2, m9) and a second check, in which the requirements for the software module (m1) to be loaded are checked against the software modules which have already been loaded in the target appliance (D1) and in the appliances (D2) using the list of requirements of the software module (m1) to be loaded and version lines of the already-loaded software modules (m2, m9).
 4. Method for loading software according to claim 2 or 3, characterized in that the configuration manager task is carried out by an appliance (20; 40) in the vehicle control system.
 5. Method for loading software according to claim 2 or 3, characterized in that the configuration manager task is carried out by the control appliance outside the vehicle.
 6. Method for loading software according to one of the preceding claims, characterized by further subdivision of the loading process for the software module into a backup appliance task, which includes backing up of at least some of the software modules which have already been loaded in the target appliance (10; D1), within the vehicle control system.
 7. Method for loading software according to one of the preceding claims, characterized in that the assignment for carrying out the task elements is made as a function of the computation power required for the task elements, of the memory space required for the task elements, and/or of the time required in the target appliance (10; D1) and in the appliances (20; 40, D2) for the storage of data.
 8. Method for loading software according to one of the preceding claims, characterized in that security for data transmission is provided by cryptographic scrambling only outside the vehicle control system.
 9. Vehicle control system for carrying out a method according to one of the preceding claims, characterized in that, in order to carry out a configuration manager task which includes a check as to whether the vehicle control system satisfies the hardware and software requirements for the software module (m1) to be loaded, and whether the software module (m1) to be loaded satisfies the requirements for operation of the vehicle control system, software modules (m1, m2, m9) which have already been loaded in a respective appliance (D1, D2) in the vehicle control system each include a version line and a list of requirements, wherein the version line has a title for the already-loaded software module (m1, m9), an identification (l, e) for internal or external use of the already-loaded software module (m1, m9) in the respective appliance (D1, D2) and a version number (v1.0, v1.4) for the already-loaded software module (m1, m9), and the list of requirements has identifications for appliances to which access by the already-loaded software module is intended, titles of software modules which are required by the already loaded software module in the appliances to which access is intended, as well as version numbers of the required software modules.
 10. Vehicle control system according to claim 9, characterized in that the vehicle control system can be operated by a control appliance outside the vehicle control system, in order to carry out the configuration manager task.
 11. Vehicle control system according to claim 9 or 10, characterized in that an appliance (20; 40) which is suitable for carrying out the configuration manager task is provided in the vehicle control system. 